扫描器目标探测模块解析与实现<\/h1>

1. 目标探测概述<\/h2>
目标探测是扫描器的核心功能之一，主要用于识别网络中存活的主机和开放的端口。本文以fscan、GoGo和dddd三款扫描器为例，详细分析其目标探测模块的实现原理和技术细节。<\/p>

2. fscan目标探测实现<\/h2>

2.1 IP地址解析<\/h3>

fscan的IP解析逻辑位于ParseIP<\/code>函数中，主要处理以下几种格式的输入：<\/p>

func<\/span> ParseIP<\/span>(host<\/span> string<\/span>, filename<\/span> string<\/span>, nohosts<\/span> ...<\/span>string<\/span>) (hosts<\/span> []string<\/span>, err<\/span> error<\/span>) {
<\/span><\/span>    if<\/span> filename<\/span> ==<\/span> ""<\/span> &&<\/span> strings<\/span>.Contains<\/span>(host<\/span>, ":"<\/span>) {
<\/span><\/span>        \/\/ 处理带端口的IP格式：192.168.0.0\/16:80
<\/span><\/span><\/span><\/span>        hostport<\/span> :=<\/span> strings<\/span>.Split<\/span>(host<\/span>, ":"<\/span>)
<\/span><\/span>        if<\/span> len(hostport<\/span>) ==<\/span> 2<\/span> {
<\/span><\/span>            host<\/span> = hostport<\/span>[0<\/span>]
<\/span><\/span>            hosts<\/span> = ParseIPs<\/span>(host<\/span>)
<\/span><\/span>            Ports<\/span> = hostport<\/span>[1<\/span>]
<\/span><\/span>        }
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        hosts<\/span> = ParseIPs<\/span>(host<\/span>)
<\/span><\/span>        if<\/span> filename<\/span> !=<\/span> ""<\/span> {
<\/span><\/span>            var<\/span> filehost<\/span> []string<\/span>
<\/span><\/span>            filehost<\/span>, _<\/span> = Readipfile<\/span>(filename<\/span>)
<\/span><\/span>            hosts<\/span> = append(hosts<\/span>, filehost<\/span>...<\/span>)
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    \/\/ 去重处理
<\/span><\/span><\/span><\/span>    hosts<\/span> = RemoveDuplicate<\/span>(hosts<\/span>)
<\/span><\/span>    return<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 存活探测实现<\/h3>
fscan提供了两种存活探测方式：<\/p>
2.2.1 ICMP探测<\/h4>
func<\/span> CheckLive<\/span>(hostslist<\/span> []string<\/span>, Ping<\/span> bool<\/span>) []string<\/span> {
<\/span><\/span>    chanHosts<\/span> :=<\/span> make(chan<\/span> string<\/span>, len(hostslist<\/span>))
<\/span><\/span>    go<\/span> func<\/span>() {
<\/span><\/span>        for<\/span> ip<\/span> :=<\/span> range<\/span> chanHosts<\/span> {
<\/span><\/span>            if<\/span> _<\/span>, ok<\/span> :=<\/span> ExistHosts<\/span>[ip<\/span>]; !ok<\/span> &&<\/span> IsContain<\/span>(hostslist<\/span>, ip<\/span>) {
<\/span><\/span>                ExistHosts<\/span>[ip<\/span>] = struct<\/span>{}{}
<\/span><\/span>                AliveHosts<\/span> = append(AliveHosts<\/span>, ip<\/span>)
<\/span><\/span>            }
<\/span><\/span>            livewg<\/span>.Done<\/span>()
<\/span><\/span>        }
<\/span><\/span>    }()
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2.2 TCP端口探测<\/h4>
func<\/span> PortConnect<\/span>(addr<\/span> Addr<\/span>, respondingHosts<\/span> chan<\/span><-<\/span> string<\/span>, adjustedTimeout<\/span> int64<\/span>, wg<\/span> *<\/span>sync<\/span>.WaitGroup<\/span>) {
<\/span><\/span>    host<\/span>, port<\/span> :=<\/span> addr<\/span>.ip<\/span>, addr<\/span>.port<\/span>
<\/span><\/span>    conn<\/span>, err<\/span> :=<\/span> common<\/span>.WrapperTcpWithTimeout<\/span>("tcp4"<\/span>, fmt<\/span>.Sprintf<\/span>("%s:%v"<\/span>, host<\/span>, port<\/span>), 
<\/span><\/span>        time<\/span>.Duration<\/span>(adjustedTimeout<\/span>)*<\/span>time<\/span>.Second<\/span>)
<\/span><\/span>    if<\/span> err<\/span> ==<\/span> nil<\/span> {
<\/span><\/span>        defer<\/span> conn<\/span>.Close<\/span>()
<\/span><\/span>        address<\/span> :=<\/span> host<\/span> +<\/span> ":"<\/span> +<\/span> strconv<\/span>.Itoa<\/span>(port<\/span>)
<\/span><\/span>        respondingHosts<\/span> <-<\/span> address<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 大网段扫描优化<\/h3>
fscan对大网段(\/8)扫描进行了优化，避免扫描过多IP：<\/p>
func<\/span> parseIP8<\/span>(ip<\/span> string<\/span>) []string<\/span> {
<\/span><\/span>    var<\/span> AllIP<\/span> []string<\/span>
<\/span><\/span>    for<\/span> _<\/span>, i<\/span> :=<\/span> range<\/span> CIDRToIP<\/span>(ip<\/span>) {
<\/span><\/span>        AllIP<\/span> = append(AllIP<\/span>, i<\/span>.String<\/span>())
<\/span><\/span>    }
<\/span><\/span>    return<\/span> AllIP<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> CIDRToIP<\/span>(cidr<\/span> string<\/span>) (IPs<\/span> []net<\/span>.IP<\/span>) {
<\/span><\/span>    _<\/span>, network<\/span>, _<\/span> :=<\/span> net<\/span>.ParseCIDR<\/span>(cidr<\/span>)
<\/span><\/span>    first<\/span> :=<\/span> FirstIP<\/span>(network<\/span>)
<\/span><\/span>    last<\/span> :=<\/span> LastIP<\/span>(network<\/span>)
<\/span><\/span>    return<\/span> pairsToIP<\/span>(first<\/span>, last<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. GoGo目标探测实现<\/h2>
3.1 端口扫描分发<\/h3>
GoGo通过Dispatch<\/code>函数根据端口号分发不同的扫描逻辑：<\/p>
func<\/span> Dispatch<\/span>(result<\/span> *<\/span>pkg<\/span>.Result<\/span>) {
<\/span><\/span>    switch<\/span> result<\/span>.Port<\/span> {
<\/span><\/span>    case<\/span> "137"<\/span>, "nbt"<\/span>:
<\/span><\/span>        nbtScan<\/span>(result<\/span>)
<\/span><\/span>    case<\/span> "135"<\/span>, "wmi"<\/span>:
<\/span><\/span>        wmiScan<\/span>(result<\/span>)
<\/span><\/span>    case<\/span> "oxid"<\/span>:
<\/span><\/span>        oxidScan<\/span>(result<\/span>)
<\/span><\/span>    case<\/span> "icmp"<\/span>, "ping"<\/span>:
<\/span><\/span>        icmpScan<\/span>(result<\/span>)
<\/span><\/span>    case<\/span> "snmp"<\/span>, "161"<\/span>:
<\/span><\/span>        snmpScan<\/span>(result<\/span>)
<\/span><\/span>    case<\/span> "445"<\/span>, "smb"<\/span>:
<\/span><\/span>        smbScan<\/span>(result<\/span>)
<\/span><\/span>    \/\/ ...其他端口处理
<\/span><\/span><\/span><\/span>    default<\/span>:
<\/span><\/span>        initScan<\/span>(result<\/span>)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 基础TCP扫描<\/h3>
func<\/span> initScan<\/span>(result<\/span> *<\/span>pkg<\/span>.Result<\/span>) {
<\/span><\/span>    conn<\/span>, err<\/span> :=<\/span> pkg<\/span>.NewSocket<\/span>("tcp"<\/span>, target<\/span>, RunOpt<\/span>.Delay<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        result<\/span>.Err<\/span> = err<\/span>
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    defer<\/span> conn<\/span>.Close<\/span>()
<\/span><\/span>    result<\/span>.Open<\/span> = true<\/span>
<\/span><\/span>    
<\/span><\/span>    bs<\/span>, err<\/span> :=<\/span> conn<\/span>.Read<\/span>(RunOpt<\/span>.Delay<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        senddataStr<\/span> :=<\/span> fmt<\/span>.Sprintf<\/span>("GET \/%s HTTP\/1.1\r\nHost: %s\r\n\r\n"<\/span>, result<\/span>.Uri<\/span>, target<\/span>)
<\/span><\/span>        bs<\/span>, err<\/span> = conn<\/span>.Request<\/span>([]byte(senddataStr<\/span>), DefaultMaxSize<\/span>)
<\/span><\/span>    }
<\/span><\/span>    pkg<\/span>.CollectSocketResponse<\/span>(result<\/span>, bs<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. dddd目标探测实现<\/h2>
4.1 多阶段探测<\/h3>
dddd采用多阶段探测策略：<\/p>
\/\/ ICMP探测存活
<\/span><\/span><\/span><\/span>if<\/span> !structs<\/span>.GlobalConfig<\/span>.NoICMPPing<\/span> {
<\/span><\/span>    ICMPAlive<\/span> = common<\/span>.CheckLive<\/span>(ips<\/span>, false<\/span>)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ TCP探测存活
<\/span><\/span><\/span><\/span>if<\/span> structs<\/span>.GlobalConfig<\/span>.TCPPing<\/span> {
<\/span><\/span>    tcpAliveIPPort<\/span> :=<\/span> common<\/span>.PortScanTCP<\/span>(uncheck<\/span>, "80,443,3389,445,22"<\/span>,
<\/span><\/span>        structs<\/span>.GlobalConfig<\/span>.NoPortString<\/span>,
<\/span><\/span>        structs<\/span>.GlobalConfig<\/span>.TCPPortScanTimeout<\/span>)
<\/span><\/span>    for<\/span> _<\/span>, tIPPort<\/span> :=<\/span> range<\/span> tcpAliveIPPort<\/span> {
<\/span><\/span>        t<\/span> :=<\/span> strings<\/span>.Split<\/span>(tIPPort<\/span>, ":"<\/span>)
<\/span><\/span>        TCPAlive<\/span> = append(TCPAlive<\/span>, t<\/span>[0<\/span>])
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 SYN扫描集成<\/h3>
dddd集成了masscan进行SYN扫描：<\/p>
\/\/ 调用masscan进行SYN端口扫描
<\/span><\/span><\/span><\/span>masscanArgs<\/span> :=<\/span> []string<\/span>{
<\/span><\/span>    "--ports"<\/span>, ports<\/span>,
<\/span><\/span>    "--rate"<\/span>, strconv<\/span>.Itoa<\/span>(structs<\/span>.GlobalConfig<\/span>.Rate<\/span>),
<\/span><\/span>    "-oG"<\/span>, outputFile<\/span>,
<\/span><\/span>}
<\/span><\/span>masscanArgs<\/span> = append(masscanArgs<\/span>, ips<\/span>...<\/span>)
<\/span><\/span><\/code><\/pre>5. 技术对比与总结<\/h2>



特性<\/th>
fscan<\/th>
GoGo<\/th>
dddd<\/th>
<\/tr>
<\/thead>


IP解析<\/td>
支持CIDR、范围、文件输入<\/td>
支持标准格式<\/td>
支持多种格式<\/td>
<\/tr>

存活探测<\/td>
ICMP\/TCP<\/td>
多协议探测<\/td>
ICMP\/TCP\/SYN<\/td>
<\/tr>

大网段优化<\/td>
随机采样<\/td>
无特别优化<\/td>
无特别优化<\/td>
<\/tr>

端口扫描<\/td>
基础TCP连接<\/td>
协议识别+定制扫描<\/td>
SYN扫描集成<\/td>
<\/tr>

代理支持<\/td>
支持SOCKS5<\/td>
支持HTTP\/SOCKS<\/td>
支持多种代理<\/td>
<\/tr>
<\/tbody>
<\/table>
6. 最佳实践建议<\/h2>


IP解析优化<\/strong>：<\/p>

实现CIDR到IP列表的高效转换<\/li>
对大网段(\/8)采用采样策略<\/li>
支持多种输入格式(文件、范围、CIDR)<\/li>
<\/ul>
<\/li>

存活探测策略<\/strong>：<\/p>

优先使用ICMP探测<\/li>
对ICMP无响应主机尝试TCP探测<\/li>
关键端口(80,443,22,3389等)作为补充<\/li>
<\/ul>
<\/li>

扫描性能优化<\/strong>：<\/p>

使用goroutine和channel实现并发<\/li>
合理设置超时时间<\/li>
实现结果去重和状态管理<\/li>
<\/ul>
<\/li>

协议识别<\/strong>：<\/p>

对常见端口实现定制化探测<\/li>
自动识别HTTP\/HTTPS服务<\/li>
支持特殊协议(如WMI、SNMP等)<\/li>
<\/ul>
<\/li>
<\/ol>
7. 参考实现<\/h2>
\/\/ 综合扫描器示例
<\/span><\/span><\/span><\/span>func<\/span> AdvancedScan<\/span>(targets<\/span> []string<\/span>) {
<\/span><\/span>    \/\/ 阶段1：ICMP存活探测
<\/span><\/span><\/span><\/span>    aliveHosts<\/span> :=<\/span> ICMPProbe<\/span>(targets<\/span>)
<\/span><\/span>    
<\/span><\/span>    \/\/ 阶段2：TCP端口扫描
<\/span><\/span><\/span><\/span>    openPorts<\/span> :=<\/span> TCPScan<\/span>(aliveHosts<\/span>, "80,443,22,3389,445"<\/span>)
<\/span><\/span>    
<\/span><\/span>    \/\/ 阶段3：服务识别
<\/span><\/span><\/span><\/span>    for<\/span> host<\/span>, ports<\/span> :=<\/span> range<\/span> openPorts<\/span> {
<\/span><\/span>        for<\/span> _<\/span>, port<\/span> :=<\/span> range<\/span> ports<\/span> {
<\/span><\/span>            switch<\/span> port<\/span> {
<\/span><\/span>            case<\/span> 80<\/span>, 443<\/span>:
<\/span><\/span>                result<\/span> :=<\/span> HTTPProbe<\/span>(host<\/span>, port<\/span>)
<\/span><\/span>            case<\/span> 445<\/span>:
<\/span><\/span>                result<\/span> :=<\/span> SMBProbe<\/span>(host<\/span>)
<\/span><\/span>            \/\/ 其他端口处理...
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>8. 参考文献<\/h2>

fscan源码: https:\/\/github.com\/shadow1ng\/fscan<\/li>
GoGo文档: https:\/\/chainreactors.github.io\/wiki\/gogo<\/li>
dddd源码: https:\/\/github.com\/SleepingBag945\/dddd<\/li>
网络扫描技术详解: https:\/\/xz.aliyun.com\/t\/15318<\/li>
<\/ol>

特性<\/th>	fscan<\/th>	GoGo<\/th>	dddd<\/th> <\/tr> <\/thead>
IP解析<\/td>	支持CIDR、范围、文件输入<\/td>	支持标准格式<\/td>	支持多种格式<\/td> <\/tr>
存活探测<\/td>	ICMP\/TCP<\/td>	多协议探测<\/td>	ICMP\/TCP\/SYN<\/td> <\/tr>
大网段优化<\/td>	随机采样<\/td>	无特别优化<\/td>	无特别优化<\/td> <\/tr>
端口扫描<\/td>	基础TCP连接<\/td>	协议识别+定制扫描<\/td>	SYN扫描集成<\/td> <\/tr>
代理支持<\/td>	支持SOCKS5<\/td>	支持HTTP\/SOCKS<\/td>	支持多种代理<\/td> <\/tr> <\/tbody> <\/table> 6. 最佳实践建议<\/h2> IP解析优化<\/strong>：<\/p> 实现CIDR到IP列表的高效转换<\/li> 对大网段(\/8)采用采样策略<\/li> 支持多种输入格式(文件、范围、CIDR)<\/li> <\/ul> <\/li> 存活探测策略<\/strong>：<\/p> 优先使用ICMP探测<\/li> 对ICMP无响应主机尝试TCP探测<\/li> 关键端口(80,443,22,3389等)作为补充<\/li> <\/ul> <\/li> 扫描性能优化<\/strong>：<\/p> 使用goroutine和channel实现并发<\/li> 合理设置超时时间<\/li> 实现结果去重和状态管理<\/li> <\/ul> <\/li> 协议识别<\/strong>：<\/p> 对常见端口实现定制化探测<\/li> 自动识别HTTP\/HTTPS服务<\/li> 支持特殊协议(如WMI、SNMP等)<\/li> <\/ul> <\/li> <\/ol> 7. 参考实现<\/h2> \/\/ 综合扫描器示例 <\/span><\/span><\/span><\/span>func<\/span> AdvancedScan<\/span>(targets<\/span> []string<\/span>) { <\/span><\/span> \/\/ 阶段1：ICMP存活探测 <\/span><\/span><\/span><\/span> aliveHosts<\/span> :=<\/span> ICMPProbe<\/span>(targets<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 阶段2：TCP端口扫描 <\/span><\/span><\/span><\/span> openPorts<\/span> :=<\/span> TCPScan<\/span>(aliveHosts<\/span>, "80,443,22,3389,445"<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 阶段3：服务识别 <\/span><\/span><\/span><\/span> for<\/span> host<\/span>, ports<\/span> :=<\/span> range<\/span> openPorts<\/span> { <\/span><\/span> for<\/span> _<\/span>, port<\/span> :=<\/span> range<\/span> ports<\/span> { <\/span><\/span> switch<\/span> port<\/span> { <\/span><\/span> case<\/span> 80<\/span>, 443<\/span>: <\/span><\/span> result<\/span> :=<\/span> HTTPProbe<\/span>(host<\/span>, port<\/span>) <\/span><\/span> case<\/span> 445<\/span>: <\/span><\/span> result<\/span> :=<\/span> SMBProbe<\/span>(host<\/span>) <\/span><\/span> \/\/ 其他端口处理... <\/span><\/span><\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>8. 参考文献<\/h2> fscan源码: https:\/\/github.com\/shadow1ng\/fscan<\/li> GoGo文档: https:\/\/chainreactors.github.io\/wiki\/gogo<\/li> dddd源码: https:\/\/github.com\/SleepingBag945\/dddd<\/li> 网络扫描技术详解: https:\/\/xz.aliyun.com\/t\/15318<\/li> <\/ol>

扫描器目标探测模块解析与实现<\/h1>

1. 目标探测概述<\/h2> 目标探测是扫描器的核心功能之一，主要用于识别网络中存活的主机和开放的端口。本文以fscan、GoGo和dddd三款扫描器为例，详细分析其目标探测模块的实现原理和技术细节。<\/p>

2. fscan目标探测实现<\/h2>

2.2 存活探测实现<\/h3> fscan提供了两种存活探测方式：<\/p>

3. GoGo目标探测实现<\/h2>

4. dddd目标探测实现<\/h2>

8. 参考文献<\/h2> fscan源码: https:\/\/github.com\/shadow1ng\/fscan<\/li> GoGo文档: https:\/\/chainreactors.github.io\/wiki\/gogo<\/li> dddd源码: https:\/\/github.com\/SleepingBag945\/dddd<\/li> 网络扫描技术详解: https:\/\/xz.aliyun.com\/t\/15318<\/li> <\/ol>

1. 目标探测概述<\/h2>
目标探测是扫描器的核心功能之一，主要用于识别网络中存活的主机和开放的端口。本文以fscan、GoGo和dddd三款扫描器为例，详细分析其目标探测模块的实现原理和技术细节。<\/p>

2.2 存活探测实现<\/h3>
fscan提供了两种存活探测方式：<\/p>

8. 参考文献<\/h2>

fscan源码: https:\/\/github.com\/shadow1ng\/fscan<\/li>
GoGo文档: https:\/\/chainreactors.github.io\/wiki\/gogo<\/li>
dddd源码: https:\/\/github.com\/SleepingBag945\/dddd<\/li>
网络扫描技术详解: https:\/\/xz.aliyun.com\/t\/15318<\/li> <\/ol>